Help me diagnose a HJT Log


3 replies to this topic

#1 kosmycus69

  • Members
  • 3 posts

Posted 09 February 2005 - 02:17 PM

Hi there!!

Hope someone can hear my prayer... I've been having some problems with my PC in the last few days... don't know what else to do...

I use PC-cillin 2002 antivirus and its firewall... it's all updated: Windows, antivirus, browser,... but in the last 3/4 days a message has been showing up saying I have a virus: expl_jpgdown.a !!! I deleted the file and ran the antivirus, including the online scan, and nothing!!! Not a single virus detected... that's odd!! But it shows up again on the next internet connection... Really, I've been going crazy with this... I read all the stuff on antivirus sites and still don't get it...
Please help!!!

Here is my HJT log to analyse:

Logfile of HijackThis v1.99.0
Scan saved at 19:16:25, on 09-02-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
Z:\Programas\CfosSpeed\spd.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Programas\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Programas\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programas\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Programas\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Programas\Trend Micro\PC-cillin 2002\Pop3trap.exe
Z:\Programas\CfosSpeed\cFosSpeed.exe
C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Z:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programas\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Programas\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Programas\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [cFosSpeed] Z:\Programas\CfosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107731822310
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B14ADE9-1E87-448F-85A6-19719F5A9A5D}: NameServer = 194.65.100.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{6B14ADE9-1E87-448F-85A6-19719F5A9A5D}: NameServer = 194.65.100.117
O23 - Service: cFosSpeed System Service - Unknown - Z:\Programas\CfosSpeed\spd.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Programas\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Programas\Trend Micro\PC-cillin 2002\Tmntsrv.exe



Is anything wrong???
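Reading an HJT log means checking each entry type against a few fixed questions: what file an O4 autostart entry really launches (rundll32 is only a host; its DLL argument is what runs), where each O16 ActiveX control was downloaded from, which resolvers the O17 entries point at, and which O23 services HJT could not attribute to a vendor. The script below is an added example of that triage, not part of the original post and not HijackThis code. The allow-lists (trusted path prefixes, download hosts, DNS servers) are assumptions chosen for this machine; the sample log is an excerpt of the entries posted above.

```python
"""Triage helper for HijackThis 1.99-style log entries (added example, not HJT code)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")   # section tag, ' - ', body
RUN_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")               # 'HKLM\..\Run: [name] command'

# Assumed allow-lists: the reviewer's policy for this machine, not HJT output.
TRUSTED_PATH_PREFIXES = ("c:\\windows\\", "c:\\programas\\", "z:\\programas\\", "c:\\progra~1\\")
TRUSTED_DPF_HOSTS = ("windowsupdate.microsoft.com", "messenger.msn.com")
TRUSTED_DNS: set[str] = set()   # fill with the ISP's published resolvers; empty => every O17 is reviewed


@dataclass
class Finding:
    section: str
    severity: str   # "ok", "info" or "review"
    entry: str
    reason: str


def _first_token(cmd: str) -> tuple[str, str]:
    """Split a Run-key command into (program, remaining args), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _launched_file(cmd: str) -> str:
    """The file that actually executes; for rundll32 that is the DLL in its first argument."""
    prog, rest = _first_token(cmd)
    if prog.lower().rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe"):
        dll, _ = _first_token(rest)      # assumes the DLL path has no unquoted spaces
        return dll.split(",", 1)[0]      # 'path\x.dll,EntryPoint' -> 'path\x.dll'
    return prog


def _path_verdict(path: str) -> tuple[str, str]:
    low = path.lower()
    if not re.match(r"^[a-z]:\\", low):
        return "info", "unqualified file name, resolved via PATH; confirm where it really lives"
    if low.startswith(TRUSTED_PATH_PREFIXES):
        return "ok", "under an expected program location"
    return "review", "launches from an unexpected location"


def _trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list[Finding]:
    out: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # process list, headers, blank lines
        sec, body = m.groups()
        if sec.startswith("R") and " = http" in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            out.append(Finding(sec, "info", body, f"browser setting points at {host}"))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            sev, why = _path_verdict(_launched_file(r.group(3)))
            out.append(Finding(sec, sev, body, why))
        elif sec in ("O2", "O3", "O9"):   # BHO / toolbar / IE button: last field is the file
            sev, why = _path_verdict(body.rsplit(" - ", 1)[-1])
            out.append(Finding(sec, sev, body, why))
        elif sec == "O16":                # Downloaded Program Files (ActiveX): last field is the URL
            host = (urlparse(body.rsplit(" - ", 1)[-1]).hostname or "").lower()
            ok = _trusted_host(host)
            out.append(Finding(sec, "ok" if ok else "review", body,
                               f"ActiveX control fetched from {host}" + ("" if ok else " (not on allow-list)")))
        elif sec == "O17" and "NameServer = " in body:
            bad = [ip for ip in body.split("NameServer = ", 1)[1].split(",") if ip.strip() not in TRUSTED_DNS]
            out.append(Finding(sec, "review" if bad else "ok", body,
                               "DNS server(s) not on allow-list: " + ", ".join(bad) if bad else "known resolver"))
        elif sec == "O23":                # 'Service: name - vendor - path'
            parts = body.split(" - ")
            vendor = parts[1].strip() if len(parts) > 2 else "Unknown"
            unknown = vendor.lower() == "unknown"
            out.append(Finding(sec, "review" if unknown else "ok", body,
                               "service binary has no identifiable vendor" if unknown else f"vendor string: {vendor}"))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"ok": 0, "info": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Entries excerpted from the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Z:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programas\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107731822310
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B14ADE9-1E87-448F-85A6-19719F5A9A5D}: NameServer = 194.65.100.117
O23 - Service: cFosSpeed System Service - Unknown - Z:\Programas\CfosSpeed\spd.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f.severity != "ok":
            print(f"[{f.severity.upper():6}] {f.section}: {f.reason}\n         {f.entry}")
```

On this excerpt the script leaves the quoted, fully qualified O4 entries alone, asks the reviewer to locate the two bare file names (`amecsa.cpl`, `nwiz.exe`), and puts the PCPitstop control, the DNS server and the service HJT reported as "Unknown" in the review bucket. "Review" means look up the file or host, not that anything is malicious: every item the script flags here is one that a human reviewer would also have to resolve by hand, which is exactly what the reply below does when it reads the same log as clean.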


#2 Grinler (Lawrence Abrams)

  • Admin
  • Location:USA

Posted 10 February 2005 - 11:21 AM

Where is it saying it's finding this? I don't see anything wrong with this log.

#3 kosmycus69

  • Topic Starter
  • Members
  • 3 posts

Posted 10 February 2005 - 12:04 PM

Hi! First of all, thanks for your time. My antivirus (PC-cillin 2002) sometimes reports that virus on my system with the usual pop-up saying "PC-cillin found a virus in your system" and gives me two options: quarantine or emergency lock. I choose quarantine and then delete the file that the virus creates: "system32me.jpg".
I noticed from previous HJT logs from other users that they had to delete a file named "win32rar.exe"... before I ran HJT that file showed up on my system and I deleted it... Could that file have been the source of the problem? Because today that virus message didn't show up...

Big thanks.


P.S. The exact location of the file that the virus creates is C:\Windows\system32me.jpg

Edited by kosmycus69, 10 February 2005 - 12:07 PM.


#4 Grinler (Lawrence Abrams)

  • Admin
  • Location:USA

Posted 10 February 2005 - 08:57 PM

Yes, it's possible that the other file was causing the problem. You should run this online scanner to see if it finds anything else, but as far as I can see you are clean:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
